Recovering from a Cyberattack

In an article for CIO, Cheng Lim, partner at law firm King & Wood Mallesons and head of its cyber-resilience initiative, discusses five crucial steps that companies must take in the aftermath of a cyberattack.

Step 1: Keep calm and assemble a taskforce

Make sure that clear heads prevail, rather than playing the blame game, says Lim.

“You need a clear, pre-determined response protocol in place to help people focus in what can be a high-pressure situation, and your incident management plan should follow this protocol,” says Lim.

Appoint a clear-cut leader of your taskforce (“obvious choices are your CIO or chief risk officer,” says Lim) who has the power to make decisions, or access to those who do. Keep IT, corporate affairs, the chief privacy officer and the legal department apprised in case they have to deal with parties outside the company. And if your company doesn’t have any of these positions or capabilities, seek outside help, says Lim.

Step 2: Contain the damage

Establish the cause and extent of the damage, says Lim, who recommends installing patches for viruses and vulnerabilities, and resetting passwords for compromised accounts and for any other accounts with the same access.

Limit or disable network access for compromised computers and for wrongdoers, and send recall emails asking recipients to delete copies of leaked material or disable links to it.

Make sure that these steps don’t compromise the investigation of the initial breach, warns Lim.
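The containment step above calls for resetting passwords for compromised accounts “and those with the same access” and for cutting network access for compromised machines. As an added example that is not from the article or from Lim, the following Python script works out that scope from an account-to-role map and a recent-login log; the accounts, roles, hosts and log entries are all constructed sample data, and the two helper functions are assumptions for illustration.

```python
"""Containment scoping helper (added example, not from the article).

Given the accounts known to be compromised, a map of which access roles
each account holds, and a log of recent logins, compute:
  * which accounts need a password reset (the compromised ones plus any
    account sharing a role with them, since those reach the same data), and
  * which hosts the compromised accounts touched and should be isolated
    pending the investigation.
All names below are constructed sample data, not real identifiers.
"""

# Constructed sample directory: account -> set of access roles it holds
ACCOUNT_ROLES = {
    "alice": {"finance-db-rw", "vpn"},
    "bob": {"finance-db-rw", "hr-share"},
    "carol": {"hr-share"},
    "dave": {"vpn"},
    "svc-backup": {"finance-db-rw", "backup-admin"},
}

# Constructed sample auth log: (account, host) pairs from recent logins
RECENT_LOGINS = [
    ("alice", "ws-101"),
    ("alice", "fin-srv-2"),
    ("bob", "ws-205"),
    ("carol", "ws-310"),
    ("svc-backup", "fin-srv-2"),
    ("svc-backup", "backup-1"),
]


def reset_scope(compromised, account_roles):
    """Return the set of accounts whose credentials should be reset.

    The result contains every compromised account plus every account that
    holds at least one of the same roles.  Unknown accounts are still
    included so that nothing reported as compromised is silently dropped.
    """
    compromised = set(compromised)
    exposed_roles = set()
    for acct in compromised:
        exposed_roles |= account_roles.get(acct, set())
    scope = set(compromised)
    for acct, roles in account_roles.items():
        if roles & exposed_roles:
            scope.add(acct)
    return scope


def hosts_to_isolate(compromised, logins):
    """Return the hosts that any compromised account recently logged into."""
    compromised = set(compromised)
    return {host for acct, host in logins if acct in compromised}


def containment_plan(compromised, account_roles=ACCOUNT_ROLES, logins=RECENT_LOGINS):
    """Bundle both lists into one plan, flagging service accounts separately.

    Service accounts (prefix "svc-" in this constructed data) usually cannot
    simply have a password reset; their secret has to be rotated wherever it
    is configured, so they are listed on their own line for the taskforce.
    """
    accounts = reset_scope(compromised, account_roles)
    return {
        "reset_users": sorted(a for a in accounts if not a.startswith("svc-")),
        "rotate_service_accounts": sorted(a for a in accounts if a.startswith("svc-")),
        "isolate_hosts": sorted(hosts_to_isolate(compromised, logins)),
    }


if __name__ == "__main__":
    # Example run: only "alice" is known to be compromised.
    for key, value in containment_plan(["alice"]).items():
        print(f"{key}: {', '.join(value) or '-'}")
```

Note that the reset list grows from the roles, not from the login log: `dave` never appears in the log but shares the `vpn` role with `alice` and is therefore included, while `carol` shares nothing with her and is left alone.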

Step 3: Assess the extent of the damage

Who was affected? “If it’s not possible to tell exactly what data has been compromised, it may be wise to take a conservative approach to estimation,” says Lim.

Can the data be used against the victims?

“If the data contains information that could be used for identity theft or other criminal activity (such as names, dates of birth and credit card numbers) or that could be sensitive (such as medical records), the breach should be treated as more severe,” says Lim. “If the data has been encrypted or anonymised, there is a lower risk of harm.”

Was it on purpose? “If there has been a deliberate hacking, rather than an inadvertent breach of security, then the consequences for the relevant individuals or organizations could be much more significant,” says Lim.

Step 4: Spread the word

“For serious data security breaches, proactive notification is generally the right strategy,” says Lim, who notes that a mandatory notification scheme has been proposed in Australia that will potentially take effect at the end of 2015.

Let people know that they have been compromised so they can take steps such as “changing passwords, cancelling credit cards and monitoring bank statements,” says Lim, who recommends that “notices should be practical, suggesting steps that recipients can take to protect themselves.”

Third parties such as the privacy commissioner or financial institutions may also need to be notified.

Step 5: Stop it from happening in the future

“While customers may understand an isolated failure, they are typically less forgiving of repeated mistakes,” says Lim. “Carry out a thorough post-breach audit to determine whether your security practices can be improved.”

Lim recommends hiring a data security consultant to give you a different perspective (and show customers you are taking the breach seriously), changing data security policies and training manuals, training personnel about the new policies and ensuring new and existing service providers are compliant.